What Is TLPT? Threat-Led Penetration Testing Explained
- ESKA ITeam
- Mar 18
Threat-Led Penetration Testing, or TLPT, is becoming one of the most discussed cybersecurity topics in regulated industries, especially financial services. That is not because it replaces penetration testing, but because it answers a broader question: not only whether a weakness can be exploited, but whether an organization can detect, contain, and withstand a realistic attack against its critical functions. Under the European framework, TLPT is closely linked to DORA and operationalized through TIBER-EU, which defines a controlled, intelligence-led approach for testing cyber resilience on live production systems.
What is TLPT?
At its core, TLPT is an intelligence-led test built around an organization’s critical or important functions and the systems that support them. The ECB’s TIBER-EU framework describes it as a controlled, bespoke, intelligence-led red team test designed to simulate realistic attacks on live production systems. The purpose is not to produce a simple pass-or-fail result, but to reveal strengths and weaknesses in protection, detection, and response so the tested entity can improve its overall cyber resilience.
That point matters. A standard security test may tell you where a vulnerability exists. TLPT is designed to show how a real attack path could affect the business, how the defenders respond, and whether critical services remain resilient under pressure. In other words, the focus shifts from isolated technical findings to operational resilience.
Why TLPT matters
Organizations with mature security programs eventually reach a point where a list of technical issues is no longer enough. They need to know whether monitoring works, whether escalation happens fast enough, whether defenders can connect weak signals into a real incident, and whether critical services can continue operating during an attack. TIBER-EU explicitly frames testing around protection, detection, and response capabilities rather than vulnerability discovery alone.
This is why TLPT is especially relevant in environments where service disruption has wider consequences, such as banking, payments, market infrastructure, and other digitally dependent sectors. The method is designed for critical functions, their supporting people, processes, and technologies, and the realistic threat actors most likely to target them.
How TLPT works
Under TIBER-EU, TLPT is not a one-off attack simulation. It is an end-to-end process with defined phases, stakeholders, governance, and deliverables. The ECB’s framework lays out preparation, threat intelligence and scenario building, red team testing, closure, reporting, remediation, and attestation. The broader point is that the offensive exercise is only one part of a much larger controlled process.
The process starts with scoping. The organization and the control team identify the critical or important functions to be tested, define boundaries, and set the conditions for a safe exercise. The control team is responsible for the end-to-end conduct of the test, risk management controls, communication channels, stakeholder coordination, and keeping the exercise within agreed limits.
Next comes threat intelligence. This is one of the defining features of TLPT. The threat intelligence provider uses the scoped critical functions, key systems, objectives, and the entity’s business context to identify plausible threat actors, their motivations, and their tactics, techniques, and procedures. Those findings are then used to design realistic threat scenarios rather than generic attack paths.
After that, the red team testing phase executes the agreed scenarios in a controlled manner on live production systems. TIBER-EU describes these as realistic, intelligence-led red team tests, while the control structure ensures that business impact stays within the tested entity’s risk appetite.
The exercise does not end when the attack path is demonstrated. TIBER-EU also includes blue team reporting, purple teaming, and remediation planning so the organization can understand what was detected, what was missed, how defenders reacted, and what must change in people, process, and technology. In the 2025 update aligned with DORA, the ECB explicitly noted that purple teaming is mandatory under TIBER-EU as prescribed by the DORA RTS.
TLPT vs penetration testing
A classical penetration test is usually centered on a specific asset or scope: a web application, an API, an external perimeter, a mobile app, or an internal network segment. Its purpose is to find technical weaknesses, validate exploitability, confirm risk, and produce remediation guidance for the tested scope. That remains valuable, but it is a different objective from testing the resilience of critical business functions.
TLPT starts from the opposite direction. Instead of asking, “What can be broken in this defined technical scope?”, it asks, “How would a realistic threat actor target our critical functions, and how well would our organization detect and respond?”
Because of that, TLPT is built around business-critical functions, live production environments, intelligence-led scenarios, and end-to-end resilience rather than technical findings alone.
Another major difference is the role of threat intelligence. In a conventional penetration test, threat intelligence may inform priorities, but it is not always the foundation of the exercise. In TLPT, it is foundational. The scenario, attacker objectives, techniques, and likely path to the target are all derived from targeted intelligence about plausible threat actors and the organization’s actual exposure.
The output is also different. A penetration test typically ends with a list of vulnerabilities, exploit paths, risk ratings, and recommendations. TLPT produces a broader picture: which controls worked, where detection failed, how the blue team responded, whether coordination was effective, and what must change to improve resilience. TIBER-EU guidance includes dedicated reporting for the red team side, the blue team side, remediation planning, summary reporting, and attestation.
TLPT vs red teaming
This distinction is often misunderstood. TLPT is not merely another name for red teaming. Within the TIBER-EU model, red team testing is one defined phase inside a broader threat-led process that also includes scoping, threat intelligence, control-team governance, reporting, remediation, and attestation. In practice, that means TLPT is wider than the offensive exercise alone.
A good way to frame it is this: red teaming is the attack execution component; TLPT is the full resilience-testing framework around it. That framing is consistent with the ECB’s explanation of TIBER-EU, which separates initiation, scoping, threat intelligence, red team testing, blue team reporting, remediation planning, and final summary and attestation into distinct stages.
Who needs TLPT?
TLPT is most relevant for organizations that already have a baseline level of security maturity. If a company still lacks basic vulnerability management, usable logging, incident response ownership, or visibility across critical assets, it usually makes more sense to strengthen those foundations first. TLPT is most valuable when an organization is ready to test how its existing controls, detection, response, and decision-making work under a realistic attack scenario. This is a practical inference from the TIBER-EU process, which assumes formal scoping, control-team governance, risk management, live-environment safeguards, and post-test remediation.
It is especially relevant for financial entities and other organizations whose disruption would have a direct operational, regulatory, or systemic impact. The ECB states that TIBER-EU is designed for entities providing core financial infrastructure, though it can also be used in other critical sectors.
Why TLPT is especially relevant now
TLPT is receiving more attention because it has moved from a niche security practice into a regulated resilience requirement. DORA entered into force on 16 January 2023 and applies from 17 January 2025, and Article 26 requires certain financial entities to carry out advanced testing by means of TLPT at least every three years.
The ECB updated TIBER-EU in 2025 to align it with the DORA regulatory technical standards on TLPT. According to the ECB, the update incorporated strict timelines for deliverables, made purple teaming mandatory under the framework, and aligned terminology and process steps with DORA requirements. The ECB also states that TIBER-EU now provides detailed guidance on how to complete DORA TLPT in a qualitative, controlled, and safe manner across the EU.
So the current relevance of TLPT is not only technical. It is also strategic and regulatory. Security leaders, risk teams, compliance functions, and internal audit are paying closer attention because TLPT now sits directly at the intersection of cyber resilience, governance, and supervisory expectations.
TLPT, DORA, and financial institutions
For financial institutions, TLPT is no longer just an advanced security option. Under DORA, certain entities identified as being in scope must undergo TLPT on a recurring basis. The regulation and the supporting RTS framework make clear that this is not intended as a generic security assessment, but as advanced testing of resilience against realistic threat-led attacks on critical live production systems.
That is why TIBER-EU matters so much in Europe. The ECB has stated that there are no differences between the TIBER-EU testing process and the TLPT process set out in DORA, and it encourages authorities to use the framework to guide and manage these exercises. For institutions preparing for DORA, TIBER-EU is therefore not background reading; it is the practical operating model for how TLPT should be run.
FAQ
Is TLPT the same as a penetration test?
No. A penetration test usually focuses on a defined technical scope and aims to identify and validate exploitable weaknesses. TLPT focuses on critical functions, realistic threat actors, live production environments, and the organization’s ability to detect, respond, and recover.
Is TLPT the same as red teaming?
Not exactly. In the TIBER-EU model, red team testing is one phase within a broader TLPT process that also includes scoping, threat intelligence, control-team oversight, reporting, remediation, and attestation.
Does TLPT use live production systems?
Yes. TIBER-EU describes it as a realistic intelligence-led red team test on live production systems, but one that is tightly controlled and governed to keep risk within acceptable limits.
Is TLPT mandatory under DORA for all financial entities?
No. DORA requires advanced testing by means of TLPT for certain financial entities identified as being in scope, not for every entity indiscriminately. The requirement is recurring, at least every three years for those identified entities.
Why is threat intelligence so important in TLPT?
Because TLPT is built around plausible threat actors, their motivations, and their tactics, techniques, and procedures. Under TIBER-EU, targeted threat intelligence is used to design the scenarios that the red team later operationalizes.
If penetration testing answers, “Where can we be exploited?”, TLPT answers a harder and more business-relevant question: “What happens to our critical functions when a realistic attacker tries, and how well do we detect and respond?” That is why TLPT is increasingly important for mature organizations, and why it has become especially significant for financial institutions operating under DORA and TIBER-EU.